27.3. Pursuing and Capturing the Intruder

If you discover a security incident
-- particularly one in progress -- you're going to be
tempted to go gunning for the bad guys who are invading your system.

Going after the bad guys has a certain emotional appeal, but
it's generally not very practical. There are a variety of
approaches you can take, but there are also a variety of technical
and legal hurdles.

For an appreciation of the problems involved in hunting down an
intruder, see Cliff Stoll's book, The Cuckoo's
Egg (Doubleday, 1989). In the late 1980s, Cliff was a
system manager at Lawrence Berkeley Labs. While tracking down a minor
inconsistency in the accounting system LBL used for computer time
billing, he discovered evidence that an intruder had broken in over
the Internet. He spent many months on an odyssey trying to chase down
the attackers. Although Cliff succeeded admirably (and wrote an
entertaining and useful book to boot), few of us are going to be able
to emulate his feats. Most sites just don't have the time and
resources to track their attackers the way Cliff did; most are going
to have to be satisfied with simply getting them off their systems.

Tracking down intruders for legal action is always a long and
involved process. Having it take months is actually unusually fast!
In general, the process of prosecuting an intruder, or group of
intruders, takes a year or more. Be prepared for a long and
frustrating process. It can be extremely educational -- you may
learn more about the legal system and the phone system than you
really wanted to know. It also can be a complete let-down; you call
three law-enforcement agencies, two of which can't figure out
how to do anything about a computer break-in, and the third of which
says something noncommittal and takes down contact information. This
might mean, as you will probably suspect, that they don't care
and are going to ignore you, or it might mean that they are already
nine months into an investigation of this intruder with the help of
other sites and don't want to give you any information that
might somehow get back to the intruder. You might find out when they
call back and ask you to testify or to estimate damages. You might
find out in the newspaper. It is worth doing your best to report
these incidents anyway, but don't expect much from the
experience.

There are two main problems in tracking down intruders: one is
technical and the other is legal. The first problem is that tracking
an attack back to its ultimate source is usually technically
difficult. It's usually easy to tell what site an attack came
from (simply by looking at the IP addresses the attacker's
packets are coming from), but once you find the apparent source of
the attack, you usually find out that the attack isn't really
being carried out by a user from that site. Instead, it's very
likely that the site has itself been broken into, and it's
being used as a base by the person who attacked you.

If that site traces its own break-in, it will usually discover the
same thing: the attacker isn't wherever the attacks appear to
be coming from. Moreover, where the attacks appear to be coming from
is simply another site in the chain that's been broken into.
Each link in the chain between the attacker and you involves more
sites and more people. There is a practical limit to how far back you
can trace someone in a reasonable period of time. Eventually,
you're probably going to run into a site in the chain that you
can't get in touch with, or that doesn't have the time or
expertise to pursue the matter, or that simply doesn't care
about the attack or about you. As Figure 27-1
illustrates, these are many links in any network connection.

Figure 27-1. A network connection has many links

Furthermore, at some link in the chain, you are likely to discover
that the attacker is coming in over a telephone line, and tracing
telephone calls involves whole new realms of technical and legal
problems.

You may well find the same attacker coming in from multiple sites. In
one incident, responders kept correcting each other, until they
realized that nobody was confused; one set of people was referring to
SFU (Simon Fraser University, in Canada) and the other to FSU
(Florida State University). The similarity of the abbreviations had
momentarily concealed the fact that two separate sites, physically
distant from each other, were being concurrently used by the same
attacker. The attacker had not started from either of them, and when
SFU and FSU closed down access, identical attacks starting occurring
from other sites.

Be wary when using email or
voicemail to contact administrators at other sites when tracking down
an intruder. How do you know it's really the administrator
that's receiving and responding to your messages and not the
intruder? Even if you're sure that you're talking to the
administrator of a site, maybe the intruder is
the administrator.

The second problem is legal. You
might contemplate leaving your site "open", even after
you're aware of the attack, in hopes of tracking down the
attackers while they're using your site. This may seem like a
clever idea; after all, if you shut down your system or disconnect it
from the Internet, the attackers will know they've been
discovered, and it will be much harder for you to track them down.

The problem is this: leaving your site open doesn't just risk
further loss or damage at your own site. What the attacker is
probably doing at your site is using it as a base to attack other
sites. If you're aware of it, and do nothing to prevent it,
those other sites might have grounds to sue you and your organization
for negligence or for aiding the attacker.

If you're dealing with someone who's attacking your
system unsuccessfully, there's less risk. It's polite to
inform the site that the attacker is apparently coming from, so the
system administrators there can do their own checking. It also lets
you straighten out people who aren't really trying to break in,
but are just very confused. For example, attempts to log in as
"anonymous", even extremely persistent ones, usually come
from people who have confused FTP with Telnet and simply need better
advice. Most sites are grateful to be told that attacks are coming
from them, but don't be surprised if universities seem somewhat
bored to hear the news. Although they will usually follow up, large
universities see these incidents all the time.

You'll also find that the occasional site is uninterested,
hostile, or incapable of figuring out what you're talking
about, and it's not worth your time to worry about it unless
the attacks from the site are persistent, determined, and technically
competent enough to have a chance of succeeding. In this case, you
should enlist the assistance of a response team.